A data center's physical access log system captures each visitor's identification document numbers along with the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an email message between the parties. Which of the following audit responses is correct in this situation?
Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?
Which of the following is MOST important for the successful establishment of a security vulnerability
Which of the following is necessary for effective risk management in IT governance?
An application used at a financial services organization transmits confidential customer data to downstream applications using a batch process. Which of the following controls would protect this information?
When deciding whether a third party can be used in resolving a suspected security breach, which of the following should be the MOST important consideration for IT management?
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?
Which of the following presents the GREATEST concern when implementing data flow across borders?
Which of the following is the BEST solution to minimize risk from security flaws introduced by developers using open source libraries?
Which of the following would be the MOST appropriate reason for an organization to purchase fault-tolerant hardware?
Which of the following is an objective of data transfer controls?
When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST important consideration is that the metrics:
Which of the following is MOST influential when defining disaster recovery strategies?
Which of the following is found in an audit charter?
Which of the following is the GREATEST benefit of utilizing data analytics?
An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that
An IS auditor is reviewing the key payroll interface that collects wage rates from various business applications to process payroll. Which of the following is MOST likely to cause errors in payroll processing?
In planning a major system development project, function point analysis would assist in:
An organization's audit charter PRIMARILY:
Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?
Which of the following provides an IS auditor with the BEST evidence that a system has been assessed for known exploits?
A large insurance company is about to replace a major financial application. Which of the following is the IS auditor's PRIMARY focus when conducting the pre-implementation review?
Which of the following is the GREATEST concern when an organization allows personal devices to connect to its network?
Which of the following is the PRIMARY reason for an organization's procurement processes to include an independent party who is not directly involved with business operations and related decision-making?
Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?
During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data quality?
An IS audit manager has been asked to perform a quality review on an audit that the same manager also supervised. Which of the following is the manager's BEST response to this situation?
Which of the following should be included in emergency change control procedures?
During a post-implementation review, a step in determining whether a project met user requirements is to review the:
Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?
Which of the following issues identified during a postmortem analysis of the IT security incident response process should be of GREATEST concern?
When reviewing an organization's data protection practices, an IS auditor should be MOST concerned with a lack of:
Which of the following MOST efficiently protects computer equipment against short-term reductions in electrical power?
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
An IS auditor attempts to sample for variables in a population of items with wide differences in values but determines that an unreasonably large number of sample items must be selected to produce the desired confidence level. In this situation, which of the following is the BEST audit decision?
While conducting a review of project plans related to a new software development, an IS auditor finds the project initiation document (PID) is incomplete. What is the BEST way for the auditor to proceed?
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
The FIRST course of action an investigator should take when a computer is being attacked is to:
Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?
When developing a business continuity plan (BCP), which of the following should be performed FIRST?
An IS auditor finds the timeliness and depth of information regarding the organization's IT projects varies based on which project manager is assigned. Which of the following recommendations would be MOST helpful in achieving predictable and repeatable project management processes?
Which of the following findings should be of GREATEST concern to an IS auditor reviewing the effectiveness of an organization's problem management practices?
Which of the following is a directive control?
Which of the following human resources management practices BEST leads to the detection of fraudulent activity?
What is the MOST critical finding when reviewing an organization's information security management?
A post-implementation review of a development project concludes that several business requirements were not reflected in the software requirement specifications. Which of the following should an IS auditor recommend to reduce this problem in the future?
Which of the following is MOST important to have in place for the continuous improvement of process maturity within a large IT support function?
Which of the following would be MOST important to update once a decision has been made to outsource a critical application to a cloud service provider?
Which of the following BEST enables an IS auditor to detect incorrect exchange rates applied to outward remittance transactions at a financial institution?
A 5-year audit plan provides for general audits every year and application audits on alternating years. To achieve higher efficiency, the IS audit manager would MOST likely:
Which of the following findings should be of GREATEST concern to an IS auditor conducting a forensic analysis following incidents of suspicious activities on a server?
An IS auditor is assigned to review the development of a specific application. Which of the following would be the MOST significant step following the feasibility study?
Which of the following BEST measures project progress?
Within the context of an IT-related governance framework, which type of organization would be considered MOST mature?
Which of the following physical controls will MOST effectively prevent breaches of computer room security?
Which of the following implementation strategies for new applications presents the GREATEST risk during data conversion and migration from an old system to a new system?
The MOST important reason why an IT risk assessment should be updated on a regular basis is to:
When deploying an application that was created using the programming language and tools supported by the cloud provider, the MOST appropriate cloud computing model for an organization to adopt is:
An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?
During which phase of the incident management life cycle should metrics such as "mean time to incident discovery" and "cost of recovery" be reported?
The PRIMARY reason to follow up on prior-year audit reports is to determine if
An IS auditor is conducting a pre-implementation review to determine a new system's production readiness. The auditor's PRIMARY concern should be whether:
An IS auditor finds that needed security patches cannot be applied to some of an organization's network devices due to compatibility issues. The organization has not budgeted sufficiently for security upgrades. Which of the following should the auditor recommend be done FIRST?
Which of the following is MOST important for an effective control self-assessment (CSA) program?
When evaluating an IT organizational structure, which of the following is MOST important to ensure has been documented?
An organization is in the process of deciding whether to allow a bring your own device (BYOD) program. If approved, which of the following should be the FIRST control required before implementation?
Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?
When performing a post-implementation review, the adequacy of the data conversion effort would BEST be evaluated by performing a thorough review of the:
Which of the following is the BEST way for an IS auditor to ensure the completeness of data collected for advanced analytics during an audit?
Which of the following is a detective control that can be used to uncover unauthorized access to information systems?
Which of the following findings should be of GREATEST concern to an IS auditor reviewing system deployment tools for a critical enterprise application system?
Which of the following is the GREATEST risk associated with the lack of an effective data privacy program?
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
Which of the following is the BEST reason to utilize blockchain technology to record accounting transactions?
An IS auditor wants to understand the collective effect of the preventive, detective, and corrective controls for a specific business process. Which of the following should the auditor focus on FIRST?
Which of the following would provide the BEST evidence of the effectiveness of mandated annual security awareness training?
Which of the following is the PRIMARY protocol for protecting outbound content from tampering and eavesdropping?
Which of the following sampling techniques is BEST to use when verifying the operating effectiveness of internal controls during an audit of transactions?